Support function authentication with OpenFaaS IAM #996
This is a mistake, I updated the example and I can confirm the |
Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>
Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>
Don't exit the program when looking up the auth config fails but print a warning instead. Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>
@@ -23,14 +23,14 @@ func Test_invoke(t *testing.T) { | |||
s := test.MockHttpServer(t, []test.Request{ | |||
{ | |||
Method: http.MethodPost, | |||
Uri: "/function/" + funcName, | |||
Uri: "/function/" + funcName + ".openfaas-fn", |
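Review bot: the expected Uri on the changed line hard-codes the ".openfaas-fn" suffix, so this mock request only pins the default-namespace form of the path. Consider building the suffix from a shared default-namespace constant instead of a string literal, and adding a second request case where the function name already carries an explicit namespace, so that both the fallback and the explicit form are asserted.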
Why is the namespace needed now?
It should still be possible to invoke without a namespace suffix, so I'm unsure why this change was made.
The go-sdk, which is now used to invoke functions, always needs a namespace to be specified. This is required for getting access tokens for functions if the function is authenticated (the full reference to a function, including the namespace, is required to request an access token).
This is why a function will always be invoked in the default namespace openfaas-fn if no namespace is provided explicitly.
Please could you respond to the comments?
Ensure the default sdk client reads the provider url from the stack file if the '--yaml/-f' flag is used. Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>
Try to look up the function namespace in the stack file before falling back to the default namespace. This is the default behaviour for all other commands and should be implemented for invoke as well. Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>
Set env variables that are normally injected by the provider, like 'OPENFAAS_NAME' and 'OPENFAAS_NAMESPACE', when running a function with local-run. This change makes it possible to use built-in function authentication with local-run. The 'jwt_auth_local' env variable is set to true by default to help with this. Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>
Approved
Description
Support invoking functions that have the OpenFaaS IAM based built in function authentication enabled.
The CLI now uses the `client.InvokeFunction` method from the OpenFaaS go-sdk to invoke functions. Support for IAM authentication is part of the go-sdk. The SDK will handle exchanging the OpenFaaS API access token for a function access token that is only valid for the requested function.
The invoke command automatically tries to detect if a function requires authentication. This is done by invoking the function without an `Authorization` header. If the function responds with a 401 (Unauthorized) response status, the CLI looks at the realm directive in the `WWW-Authenticate` header to check if the function requires authentication. The request is retried, this time with authentication.
This change also adds a new optional flag, `--auth`, to the invoke command. If the flag is set, the CLI will skip the check to detect if authentication is required and immediately invoke the function with a function access token.
When running a function with the `local-run` command, the `OPENFAAS_NAME` and `OPENFAAS_NAMESPACE` env variables are set together with `jwt_local_auth` to support built-in function authentication.
Motivation and Context
Support IAM authentication for functions.
How Has This Been Tested?
Unit tests were added to cover changes.
Verified header, query parameters, and the content type set through flags are correctly used in the request.
Verified it is possible to sign the request.
Verified functions without authentication can be invoked.
Verified functions that require authentication can be invoked.
Verified the bearer is included in the first call when the `--auth` flag is set.
Verified functions that require authentication can be invoked asynchronously.
Types of changes
Checklist:
git commit -s
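The detection flow from the description (probe without an `Authorization` header, check the realm directive in `WWW-Authenticate` on a 401, retry with a token, or skip the probe when `--auth` is set), written out as an added example; it is not code from this PR or from the go-sdk. The realm value, the Bearer challenge scheme and the `token` callback are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Placeholder realm: the page does not state the value the CLI looks for.
const expectedRealm = "example-function-realm"

// needsAuth: true for a 401 whose Bearer challenge names expectedRealm (naive split, no quoted commas).
func needsAuth(res *http.Response) bool {
	for _, ch := range res.Header.Values("WWW-Authenticate") {
		scheme, params, _ := strings.Cut(strings.TrimSpace(ch), " ")
		for _, p := range strings.Split(params, ",") {
			k, v, _ := strings.Cut(strings.TrimSpace(p), "=")
			if strings.EqualFold(scheme, "Bearer") && strings.EqualFold(k, "realm") && strings.Trim(v, `"`) == expectedRealm {
				return res.StatusCode == http.StatusUnauthorized
			}
		}
	}
	return false
}

// invoke probes without credentials unless forceAuth (the --auth case) is set, and retries with a
// token only after a matching challenge. token is a hypothetical stand-in for the SDK's token exchange.
func invoke(url, body string, forceAuth bool, token func() string) (*http.Response, error) {
	for auth := forceAuth; ; auth = true {
		req, err := http.NewRequest(http.MethodPost, url, strings.NewReader(body))
		if err != nil {
			return nil, err
		}
		if auth {
			req.Header.Set("Authorization", "Bearer "+token())
		}
		res, err := http.DefaultClient.Do(req)
		if err != nil || auth || !needsAuth(res) {
			return res, err
		}
		res.Body.Close() // drop the challenge response before retrying
	}
}

func main() {
	res := &http.Response{StatusCode: 401, Header: http.Header{}} // constructed sample
	res.Header.Set("WWW-Authenticate", `Bearer realm="`+expectedRealm+`"`)
	fmt.Println("retry with token:", needsAuth(res))
}
```

A 401 that does not carry the expected realm is returned to the caller as-is, so the function token is never sent to an endpoint that did not ask for it. The request body is rebuilt for every attempt because the first attempt consumes it.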